Posted
by
timothy
on Thursday February 02, 2012 @11:39AM
from the losing-the-moral-high-ground dept.

mask.of.sanity writes "Verisign admitted it was hacked repeatedly last year and cannot pin down what data was stolen. It says it doesn't believe the Domain Name System servers were hacked but it cannot rule it out. Symantec, which bought its certificate business in 2010, says also that there was no evidence that system was affected. Verisign further admitted in an SEC filing that its security team failed to tell management about the attacks until 2011, despite moving to address the hacks."

If it's just "too soon to say" and nothing more, then every one of their security people should be fired & replaced with competent people. Why? Because 2012 should not be "too soon" after hacks in 2010, to know what was stolen. If they don't know, it's probably because the hackers were excellent at hiding their tracks on the system. Actually, it better be the reason, 'cause any other reason would mean incompetence at Verisign.

Verisign runs the top-level domain DNS servers for com, net, edu, cc, name, and a few other smaller ones. If you lookup gmail (ignoring caching), you have to ask Verisign-owned servers where the google DNS servers are, so you can ask those servers what the gmail IP address is. For the security of the internet: it's pretty important.

Until late 2010, Verisign also ran the dominant SSL business. That red circle with the black digitized check at the bottom of your bank's web page? Yeah, that. The SSL business was sold to Symantec, are are trying to slowly rebrand. For the security of the internet, SSL is also kinda important.

Verisign is still the most important internet authority, they sell most of those SSL certificates that enable internet business. Also they manage.COM and.NET domain system. It has always been feared that if they get hacked the internet economy might collapse. Even now it is perhaps better just to play it down and figure out how to lower their influence..

I have never heard about any of the above organizations you mention above, so they're probably *not* "most of the internet".The EFF Observatory proyect has some interesting research on this sort of information. You should check it.

Leaving aside probable bad judgment on the security team's part in not informing management, doesn't a company like Verisign have standardized/mandatory issue tracking policies in place so it wouldn't even be a question of judgment on a team's part to inform management? Management should have a system in place to make sure they know what's going on security-wise in a business whose entire selling point is security.

"Verisign further admitted in an SEC filing that its security team informed management about the attacks immediately while at the same time moving to address the hacks, but that management ignored it because they didn't understand the implications until the lawyers took away their drinks and shrimp cocktails and made them understand"

"Verisign further admitted in an SEC filing that its security team informed management about the attacks immediately while at the same time moving to address the hacks, but that management ignored it because they didn't understand the implications until the lawyers took away their drinks and shrimp cocktails and made them understand"

Followed by the Penn State University Board of Trustees attempting to sack them all, just in case that covered things and made everything alright.

Yeah, management doesn't want to have to look at anything like that except for maybe a demo of how cool it is. As long as they aren't being bombarded by board members or customers, they probably don't really care what's going on.

I think the result is that the people in charge of the security team, and the top management need to be fired. Security is their core business, and lack of communication about something so integral to their business indicates that the top management are such monstrous assholes that they've created a seriously dysfunctional corporate culture where communication doesn't happen.

The security team had a huge failure. Management had an outright catastrophe. Management needs to be replaced entirely, which m

No way! This is so 20th century! In Star Trek: Enterprise, the Suliban were able to detect that the stolen data disks hadn't been duplicated. Clearly, it's high time to finally develop a method that would allow us to detect that we're not the only ones who have some piece of information.

I'm impressed they're admitting they've never heard of logservers. You know, those servers that're damned near inaccessible and do nothing but accept log event reports from all the other servers on their network?

Finding ways around syslogs are all the rage these days. It requires stealth. Oh, wait....

My take is that this is a genuine catastrophe. If they can't figure out what happened, there is a systematic failure that's a near death-blow. Security is what Verisign and Symantec sell. Both have been compromised, and neither of them knew what or the extent of it, and didn't in at least one case, inform management. If I were their board(s), I'd be lawyering up about now.

If I had an unknown intrusion at a CA, first thing I'd be doing is generating a new root key, getting that into all the Web browsers, then revoking and generating new keys in the hierarchy.

And causing millions of IE6 users to no longer be able to access their online banking. For a service of this size, the revocation costs are huge.

Besides, if they designed their systems in even a halfway competent manner, stealing the private key through a hack should be essentially impossible. A properly designed key signing service involves a standalone signing server that runs no services other than the signing service. The signing service accepts incoming connections, reads data in a byte at a time until either an EOF marker is reached or a certain number of bytes have been read, then sends back a signed copy of that data, then closes the connection. There is basically no way that such a service can be hacked (barring incredibly stupid programming) because it has essentially zero attack surface. Therefore, there should be essentially zero possibility of the private key being compromised (theoretical timing attacks on the key notwithstanding).

The worst case scenario is that they signed some things that they shouldn't have. However, even if they did, the CA should have an offline log that cannot feasibly be compromised (on the signing server itself), which means that the bogus keys can be revoked individually instead of revoking the master key that signed them.

Isn't this the continuation of the time VeriSign was breached in 2008 because of an unpatched FTP server facing the Internet? The hack was traced all the way to a certain jump host that used to live in LS3 on an IBM x336. You know, the jump host with complete access to every server around the world. The one that started with an R and ended with a P? Yeah, that jump host.

Oh, and lots of other places throughout the network also. They got everywhere.

I pretty much have to assume the worst: All their certificates were compromised and all their data was acquired. If they can't demonstrate these things didn't happen, they need to revoke and re-issue all their certificates, and re-sign those of their customers.

If someone had a copy of the Verisign root public keys, it doesn't matter if the providers get new keys, your browser would trust any certificate created by these keys. So if you connect to a website encrypted by certificates from a different CA, a man in the middle attack presenting a newly minted certificate using the stolen keys would not raise any alarm in any SSL browser that trusts that verisign root certificate. Which essentially means every browser in the world.

In 2009 Heartland Payment systems admitted to being hacked (150m+ credit card numbers swiped) and told the world at the exact moment the world was watching Oblama get inaugurated so nobody would notice...

TJX allows itself to be compromised for years...

Verisign - the keeper of the keys gets hacked and finally admits it...

Gee Uncle Roy! My moral compass is starting to swivel away from any notion to ever do the right thing again.

...is that the writer of the article doesn't have the slightest goddamned clue what he's talking about.

The attacks were serious because data stolen from Verisign's DNS could allow attackers to intercept unencrypted communications and redirect traffic to malicious web sites.

No, boy wonder. The DNS servers are not really the issue here. The issue is the PKI infrastructure which Verisign issues, and in particular the fact that Verisign is one of the few CAs that can issue Extended Verification (EV) certs.

If the root PKI private keys were lifted from the site then whoever had them could create valid ssl certificates for any DNS hostname that every browser and ssl stack in the world would view as real. If the same users were able to put themselves in the correct place in the network or be able to do a successful DNS poisoning attack, they would then be able to undetectably capture all data protected by the SSL public key infrastructure. So pretty much all internet data would be suspect.

I thought we learnt this from the *AA against the world debate. Stealing is taking something away from the owner denying him the use of it. Nothing was taken away from Verisign. Somethings may have been shared, which may or may not take some future business away from Verisign, since people can now get their own trusted SSL certs. Copyright wasn't meant to be eternal, they have had their time limited monopoly on those keys. Society will profit as prices for EV certs will now go through the floor. Verisign ca

I work for Symantec and wanted to clarify that Verisign, Inc. was compromised, not the Trust Services (SSL, User Authentication (VIP, PKI, FDS) and other production systems acquired by Symantec.
Symantec was NOT compromised by the corporate network security breach mentioned in the Verisign, Inc. quarterly filing.
Here is the Verisign, Inc. statement on the 2010 security breach - vrsn.cc/AwJBFb

I work for Symantec and just wanted to clarify that the Trust Services (SSL, User Authentication (VIP, PKI, FDS) and other production systems acquired by Symantec were NOT compromised by the corporate network security breach mentioned in the Verisign, Inc. quarterly filing.